@ram-pi
Forked from genaromadrid/ca_validation.md
Created July 16, 2024 11:28

Revisions

  1. @genaromadrid genaromadrid revised this gist May 12, 2016. 1 changed file with 1 addition and 2 deletions.
    3 changes: 1 addition & 2 deletions ca_validation.md
    @@ -53,9 +53,8 @@ openssl dgst -sha1 -verify $root_pub_key_path -signature $sig_path $tbs_path
    ## Notes

    > The TBS certificate is the body of the actual certificate; it contains all the naming and key information held in the certificate. The only information in the actual certificate that is not held in the TBS certificate is the name of the algorithm used to sign the certificate and the signature itself.
    The TBS certificate is used as the input data to the signature algorithm when the certificate is signed or verified.
    > The signature of the certificate contains the fingerprint of the TBSCertificate
    > The TBS certificate is used as the input data to the signature algorithm when the certificate is signed or verified.
    # Links
    - [OpenSSL RSA Util](https://www.openssl.org/docs/manmaster/apps/rsautl.html)
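    Review bot: The consecutive `>` lines in the Notes block have no bare `>` line between them, so Markdown folds them into a single quoted paragraph and the three sentences run together. Separate them with a line containing only `>`, or turn them into list items inside the quote.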
  2. @genaromadrid genaromadrid revised this gist May 12, 2016. 1 changed file with 2 additions and 0 deletions.
    2 changes: 2 additions & 0 deletions ca_validation.md
    @@ -55,6 +55,8 @@ openssl dgst -sha1 -verify $root_pub_key_path -signature $sig_path $tbs_path
    > The TBS certificate is the body of the actual certificate; it contains all the naming and key information held in the certificate. The only information in the actual certificate that is not held in the TBS certificate is the name of the algorithm used to sign the certificate and the signature itself.
    The TBS certificate is used as the input data to the signature algorithm when the certificate is signed or verified.

    > The signature of the certificate contains the fingerprint of the TBSCertificate
    # Links
    - [OpenSSL RSA Util](https://www.openssl.org/docs/manmaster/apps/rsautl.html)
    - [A very good explanation of Certificates](http://docstore.mik.ua/orelly/java-ent/security/ch10_04.htm)
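    Review bot: The added line `> The signature of the certificate contains the fingerprint of the TBSCertificate` holds only for RSA PKCS#1 v1.5 signatures, where the public-key operation recovers a DigestInfo structure carrying the hash; an ECDSA or RSA-PSS signature does not yield the digest this way. Qualify the note with the signature type, and prefer "digest" or "hash" over "fingerprint", which is usually the hash of the whole certificate.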
  3. @genaromadrid genaromadrid revised this gist May 12, 2016. 1 changed file with 1 addition and 1 deletion.
    2 changes: 1 addition & 1 deletion ca_validation.md
    @@ -45,7 +45,7 @@ openssl sha1 -c $tbs_path
    # Since the CA signed the DER format of the TBSCertificate, you can just
    # verify the signature of the certificate with the public key of the root
    # passing the TBSCertificate as a param
    # If everything its fine you'll get a 'Verified OK' message or a 'Verification Failure'
    # If everything its fine you'll get a 'Verified OK' message or a 'Verification Failure' instead.
    openssl dgst -sha1 -verify $root_pub_key_path -signature $sig_path $tbs_path

    ```
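    Review bot: The reworded comment above the `openssl dgst` line still reads as if both messages were possible outcomes of "everything is fine". Suggest "If everything is fine you'll get 'Verified OK'; otherwise you'll get 'Verification Failure'", which also fixes "its".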
  4. @genaromadrid genaromadrid revised this gist May 12, 2016. 1 changed file with 12 additions and 4 deletions.
    16 changes: 12 additions & 4 deletions ca_validation.md
    @@ -18,26 +18,34 @@ root_ca=intermediate_ca.pem
    root_pub_key_path=intermediate_ca.key.pem

    ### Extract signature from certificate

    # run the following and get the last bit position
    openssl asn1parse -in $cer
    last_bit_pos=819 # Put your own
    openssl asn1parse -in $cer -out $sig_path -noout -strparse $last_bit_pos

    ### Extract the public key of the root CA
    openssl x509 -in $root_ca -pubkey -noout > $root_pub_key_path

    ### Extract the TBSCertificate
    # Almost always -strparse param is 4
    openssl asn1parse -in $cer -out $tbs_path -noout -strparse 4

    ### Get fingerprint of the signature, the fingerprint of the TBS Cert and compare them

    # 1. Get the fingerprint of the signature with the root key
    openssl x509 -in $root_ca -pubkey -noout > $root_pub_key_path
    openssl rsautl -in $sig_path -verify -asn1parse -inkey $root_pub_key_path -pubin

    # 2. Get the sha1 (or whatever algorithm was used) of the TBS Certificate
    openssl asn1parse -in $cer -out $tbs_path -noout -strparse 4
    openssl sha1 -c $tbs_path

    # Compare the signature fingerprint from step 1 with the sha1 of the tbs certificate.
    # if they match, the certificate was sign with the provided rootCa

    # Or you can run the following and expect a 'Verified OK' message
    ### Other way to validate the certificate:
    # Since the CA signed the DER format of the TBSCertificate, you can just
    # verify the signature of the certificate with the public key of the root
    # passing the TBSCertificate as a param
    # If everything its fine you'll get a 'Verified OK' message or a 'Verification Failure'
    openssl dgst -sha1 -verify $root_pub_key_path -signature $sig_path $tbs_path

    ```
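    Review bot: The comment `# Almost always -strparse param is 4` gives the reader no way to check the value for their own certificate. The offset is the one printed on the second line of the `openssl asn1parse -in $cer` output (the first nested SEQUENCE, which is the TBSCertificate); it is 4 whenever the outer SEQUENCE has a 4-byte header, which is the case for certificates with 256 to 65535 bytes of content. Say that in the comment so an unusually small or large certificate does not silently produce a wrong TBS file.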
  5. @genaromadrid genaromadrid revised this gist May 12, 2016. 1 changed file with 2 additions and 2 deletions.
    4 changes: 2 additions & 2 deletions ca_validation.md
    @@ -12,10 +12,10 @@ openssl verify -trusted ca_root.pem -untrusted intermediate_ca.pem certificate.p

    ```bash
    cer=certificate.pem
    sig_path=signature
    sig_path=certificate.sig.bin
    tbs_path=certificate.tbs
    root_ca=intermediate_ca.pem
    root_pub_key_path=intermediate_ca.key.pem
    tbs_path=certificate.tbs

    ### Extract signature from certificate

  6. @genaromadrid genaromadrid revised this gist May 12, 2016. 1 changed file with 4 additions and 0 deletions.
    4 changes: 4 additions & 0 deletions ca_validation.md
    @@ -36,6 +36,10 @@ openssl sha1 -c $tbs_path

    # Compare the signature fingerprint from step 1 with the sha1 of the tbs certificate.
    # if they match, the certificate was sign with the provided rootCa

    # Or you can run the following and expect a 'Verified OK' message
    openssl dgst -sha1 -verify $root_pub_key_path -signature $sig_path $tbs_path

    ```

    ## Notes
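    Review bot: The digest in the added `openssl dgst -sha1 -verify ...` line is hard-coded. If the certificate was signed with a different hash (SHA-256, for example), this command reports a verification failure even though the signature is valid. Take the digest from the certificate's signature algorithm and keep it in a variable next to `cer` and `sig_path`, or at least say so in the comment above the command.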
  7. @genaromadrid genaromadrid revised this gist May 11, 2016. 1 changed file with 1 addition and 1 deletion.
    2 changes: 1 addition & 1 deletion ca_validation.md
    @@ -21,7 +21,7 @@ tbs_path=certificate.tbs

    # run the following and get the last bit position
    openssl asn1parse -in $cer
    last_bit_pos=819
    last_bit_pos=819 # Put your own
    openssl asn1parse -in $cer -out $sig_path -noout -strparse $last_bit_pos

    ### Get fingerprint of the signature, the fingerprint of the TBS Cert and compare them
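    Review bot: `last_bit_pos=819 # Put your own` does not say which number to take, and "last bit position" in the comment above it is misleading because the value is a byte offset, not a bit position. Suggest wording such as "use the offset (first column) of the final BIT STRING line in the asn1parse output", since that element is the signature value.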
  8. @genaromadrid genaromadrid revised this gist May 11, 2016. 1 changed file with 2 additions and 2 deletions.
    4 changes: 2 additions & 2 deletions ca_validation.md
    @@ -44,5 +44,5 @@ openssl sha1 -c $tbs_path
    The TBS certificate is used as the input data to the signature algorithm when the certificate is signed or verified.

    # Links
    [OpenSSL RSA Util](https://www.openssl.org/docs/manmaster/apps/rsautl.html)
    [A very good explanation of Certificates](http://docstore.mik.ua/orelly/java-ent/security/ch10_04.htm)
    - [OpenSSL RSA Util](https://www.openssl.org/docs/manmaster/apps/rsautl.html)
    - [A very good explanation of Certificates](http://docstore.mik.ua/orelly/java-ent/security/ch10_04.htm)
  9. @genaromadrid genaromadrid revised this gist May 11, 2016. 1 changed file with 5 additions and 1 deletion.
    6 changes: 5 additions & 1 deletion ca_validation.md
    @@ -41,4 +41,8 @@ openssl sha1 -c $tbs_path
    ## Notes

    > The TBS certificate is the body of the actual certificate; it contains all the naming and key information held in the certificate. The only information in the actual certificate that is not held in the TBS certificate is the name of the algorithm used to sign the certificate and the signature itself.
    The TBS certificate is used as the input data to the signature algorithm when the certificate is signed or verified.
    The TBS certificate is used as the input data to the signature algorithm when the certificate is signed or verified.

    # Links
    [OpenSSL RSA Util](https://www.openssl.org/docs/manmaster/apps/rsautl.html)
    [A very good explanation of Certificates](http://docstore.mik.ua/orelly/java-ent/security/ch10_04.htm)
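    Review bot: The two links added under `# Links` sit on consecutive lines with no list markers, so Markdown renders them as one paragraph on a single line; prefix each with `- `. `# Links` is also a level-1 heading while the section before it is `## Notes`, so one of the two levels should change.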
  10. @genaromadrid genaromadrid revised this gist May 11, 2016. 1 changed file with 5 additions and 0 deletions.
    5 changes: 5 additions & 0 deletions ca_validation.md
    @@ -37,3 +37,8 @@ openssl sha1 -c $tbs_path
    # Compare the signature fingerprint from step 1 with the sha1 of the tbs certificate.
    # if they match, the certificate was sign with the provided rootCa
    ```

    ## Notes

    > The TBS certificate is the body of the actual certificate; it contains all the naming and key information held in the certificate. The only information in the actual certificate that is not held in the TBS certificate is the name of the algorithm used to sign the certificate and the signature itself.
    The TBS certificate is used as the input data to the signature algorithm when the certificate is signed or verified.
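    Review bot: The passage added under `## Notes` is presented as a quotation (`>`), but no source is given. Add the attribution or a link directly under the quote so readers can check the wording in context.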
  11. @genaromadrid genaromadrid revised this gist May 11, 2016. No changes.
  12. @genaromadrid genaromadrid revised this gist May 11, 2016. 1 changed file with 2 additions and 1 deletion.
    3 changes: 2 additions & 1 deletion ca_validation.md
    @@ -34,5 +34,6 @@ openssl rsautl -in $sig_path -verify -asn1parse -inkey $root_pub_key_path -pubin
    openssl asn1parse -in $cer -out $tbs_path -noout -strparse 4
    openssl sha1 -c $tbs_path

    # Compare the signature fingerprint from step 1 with the sha1 of the tbs certificate, if they match, the certificate was sign with the provided rootCa
    # Compare the signature fingerprint from step 1 with the sha1 of the tbs certificate.
    # if they match, the certificate was sign with the provided rootCa
    ```
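    Review bot: The comparison described in the split comment is manual, and the two outputs are not formatted alike: `openssl rsautl ... -asn1parse` prints the digest as a hex dump, while `openssl sha1 -c` prints it colon-separated. Mention that in the comment so a reader does not take the differing text for a mismatch. Also, "was sign" should be "was signed".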
  13. @genaromadrid genaromadrid revised this gist May 11, 2016. 1 changed file with 2 additions and 3 deletions.
    5 changes: 2 additions & 3 deletions ca_validation.md
    @@ -14,6 +14,8 @@ openssl verify -trusted ca_root.pem -untrusted intermediate_ca.pem certificate.p
    cer=certificate.pem
    sig_path=signature
    root_ca=intermediate_ca.pem
    root_pub_key_path=intermediate_ca.key.pem
    tbs_path=certificate.tbs

    ### Extract signature from certificate

    @@ -24,9 +26,6 @@ openssl asn1parse -in $cer -out $sig_path -noout -strparse $last_bit_pos

    ### Get fingerprint of the signature, the fingerprint of the TBS Cert and compare them

    root_pub_key_path=intermediate_ca.key.pem
    tbs_path=certificate.tbs

    # 1. Get the fingerprint of the signature with the root key
    openssl x509 -in $root_ca -pubkey -noout > $root_pub_key_path
    openssl rsautl -in $sig_path -verify -asn1parse -inkey $root_pub_key_path -pubin
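    Review bot: The variable expansions in the commands kept by this hunk are unquoted (`> $root_pub_key_path`, `-in $sig_path`), so a path containing spaces breaks the redirect and the arguments. Quote them: `"$root_ca"`, `"$root_pub_key_path"`, `"$sig_path"`.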
  14. @genaromadrid genaromadrid revised this gist May 11, 2016. 1 changed file with 2 additions and 2 deletions.
    4 changes: 2 additions & 2 deletions ca_validation.md
    @@ -13,7 +13,7 @@ openssl verify -trusted ca_root.pem -untrusted intermediate_ca.pem certificate.p
    ```bash
    cer=certificate.pem
    sig_path=signature
    root_ca=rootCa.pem
    root_ca=intermediate_ca.pem

    ### Extract signature from certificate
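    Review bot: With `root_ca=intermediate_ca.pem` the variable name no longer matches its value, which names an intermediate CA certificate rather than a root. Rename it to something like `issuer_ca` so readers do not substitute the root certificate here when the certificate was issued by an intermediate.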

    @@ -24,7 +24,7 @@ openssl asn1parse -in $cer -out $sig_path -noout -strparse $last_bit_pos

    ### Get fingerprint of the signature, the fingerprint of the TBS Cert and compare them

    root_pub_key_path=rootCa.key.pem
    root_pub_key_path=intermediate_ca.key.pem
    tbs_path=certificate.tbs

    # 1. Get the fingerprint of the signature with the root key
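    Review bot: `root_pub_key_path=intermediate_ca.key.pem` names a file that will hold a public key, but a `.key.pem` suffix is commonly read as a private key file. A name such as `intermediate_ca.pub.pem` avoids that, and the step comment "with the root key" should then say "with the issuer's public key".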
  15. @genaromadrid genaromadrid revised this gist May 11, 2016. 1 changed file with 16 additions and 23 deletions.
    39 changes: 16 additions & 23 deletions ca_validation.md
    @@ -1,46 +1,39 @@
    # Certificate CA Validation

    ## The easy way

    To validate a certificate agains a certificate authority you just have to run
    ```bash
    openssl verify -trusted ca_root.pem -untrusted intermediate_ca.pem certificate.pem
    ```
    > You'll see a 'OK' message at the end of the output
    ```bash
    cer=spec/fixtures/certificate.pem
    sig_path=docs/signature
    root_ca=docs/rootCa.pem
    ```

    #### Certificate against an authority certificate
    ## The hard way

    ```bash
    CA=docs/Banxico/AgenciaRegistradoraCentral.crt
    intermediate=docs/AC2_Sat.crt
    openssl verify -trusted $CA -untrusted $intermediate $cer
    ```

    > You should see a 'OK' text at the end of the output
    cer=certificate.pem
    sig_path=signature
    root_ca=rootCa.pem

    ### Extract signature from certificate

    ```bash
    # run the ollowing to get the last bit position
    # run the following and get the last bit position
    openssl asn1parse -in $cer
    last_bit_pos=819
    openssl asn1parse -in $cer -out $sig_path -noout -strparse $last_bit_pos
    ```

    ### Get fingerprint and compare with tbs
    ### Get fingerprint of the signature, the fingerprint of the TBS Cert and compare them

    ```bash
    root_pub_key_path=docs/AC2_Sat.key.pem
    tbs_path=spec/fixtures/production-certificate.tbs
    # 1. Get the signature fingerprint with the root key
    root_pub_key_path=rootCa.key.pem
    tbs_path=certificate.tbs

    # 1. Get the fingerprint of the signature with the root key
    openssl x509 -in $root_ca -pubkey -noout > $root_pub_key_path
    openssl rsautl -in $sig_path -verify -asn1parse -inkey $root_pub_key_path -pubin

    # 2. Get the sha1 () of the tbs
    # 2. Get the sha1 (or whatever algorithm was used) of the TBS Certificate
    openssl asn1parse -in $cer -out $tbs_path -noout -strparse 4
    openssl sha1 -c $tbs_path

    # Compare the signature fingerprint from step 1 with the sha1 of the tbs certificate, if they match the certificate was sign with the rootCa
    # Compare the signature fingerprint from step 1 with the sha1 of the tbs certificate, if they match, the certificate was sign with the provided rootCa
    ```
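    Review bot: The `## The hard way` section is presented as an alternative to `openssl verify`, but it only shows that the CA key signed the TBSCertificate; it does not check validity dates or the chain up to a trusted root, which `openssl verify` does. State that limit under the heading. Minor: "agains" in the first sentence should be "against".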
  16. @genaromadrid genaromadrid revised this gist May 11, 2016. No changes.
  17. @genaromadrid genaromadrid created this gist May 11, 2016.
    46 changes: 46 additions & 0 deletions ca_validation.md
    @@ -0,0 +1,46 @@
    To validate a certificate agains a certificate authority you just have to run
    ```bash
    openssl verify -trusted ca_root.pem -untrusted intermediate_ca.pem certificate.pem
    ```
    > You'll see a 'OK' message at the end of the output
    ```bash
    cer=spec/fixtures/certificate.pem
    sig_path=docs/signature
    root_ca=docs/rootCa.pem
    ```

    #### Certificate against an authority certificate

    ```bash
    CA=docs/Banxico/AgenciaRegistradoraCentral.crt
    intermediate=docs/AC2_Sat.crt
    openssl verify -trusted $CA -untrusted $intermediate $cer
    ```

    > You should see a 'OK' text at the end of the output
    ### Extract signature from certificate

    ```bash
    # run the ollowing to get the last bit position
    openssl asn1parse -in $cer
    last_bit_pos=819
    openssl asn1parse -in $cer -out $sig_path -noout -strparse $last_bit_pos
    ```

    ### Get fingerprint and compare with tbs

    ```bash
    root_pub_key_path=docs/AC2_Sat.key.pem
    tbs_path=spec/fixtures/production-certificate.tbs
    # 1. Get the signature fingerprint with the root key
    openssl x509 -in $root_ca -pubkey -noout > $root_pub_key_path
    openssl rsautl -in $sig_path -verify -asn1parse -inkey $root_pub_key_path -pubin

    # 2. Get the sha1 () of the tbs
    openssl asn1parse -in $cer -out $tbs_path -noout -strparse 4
    openssl sha1 -c $tbs_path

    # Compare the signature fingerprint from step 1 with the sha1 of the tbs certificate, if they match the certificate was sign with the rootCa
    ```
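    Review bot: In the last block the public key is extracted from `$root_ca` (`docs/rootCa.pem`) but written to `docs/AC2_Sat.key.pem`, a name that matches the intermediate `docs/AC2_Sat.crt` used in the `openssl verify` block. If the certificate was issued by that intermediate, the key has to come from the intermediate certificate, otherwise step 1 cannot recover the digest. Also, "ollowing" should be "following", and the empty "()" in "Get the sha1 () of the tbs" should say what it refers to.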